x509

Documentation

Overview

Package x509 provides authentication strategy, to authenticate HTTPS requests and builds, extracts user informations from client certificates.

Example

opts := x509.VerifyOptions{}
opts.KeyUsages = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
opts.Roots = x509.NewCertPool()
// Read Root Ca Certificate
opts.Roots.AddCert(readCertificates("ca")[0])

// create strategy and authenticator
strategy := New(opts)
authenticator := auth.New()
authenticator.EnableStrategy(StrategyKey, strategy)

// user request
req, _ := http.NewRequest("GET", "/", nil)
req.TLS = &tls.ConnectionState{PeerCertificates: readCertificates("client_valid")}

// validate request
info, err := authenticator.Authenticate(req)
fmt.Println(info.UserName(), err)

// validate expired client certificate
req.TLS = &tls.ConnectionState{PeerCertificates: readCertificates("client_expired")}
info, err = authenticator.Authenticate(req)
fmt.Println(info, err.(errors.MultiError)[1])

Output:

host.test.com <nil>
<nil> x509: certificate has expired or is not yet valid

Index

• Constants
• Variables
• func New(opts x509.VerifyOptions) auth.Strategy
• type InfoBuilder

Examples

• Package
• InfoBuilder

Constants

const StrategyKey = auth.StrategyKey("x509.Strategy")

StrategyKey export identifier for the x509 strategy, commonly used when enable/add strategy to go-guardian authenticator.

Variables

var (
	// ErrMissingCN is returned by DefaultBuilder when Certificate CommonName missing.
	ErrMissingCN = errors.New("x509.strategy: Certificate subject CN missing")
	// ErrInvalidRequest is returned by x509 strategy when a non TLS request received.
	ErrInvalidRequest = errors.New("x509.strategy: Invalid request, missing TLS parameters")
)

var Builder = InfoBuilder(func(chain [][]*x509.Certificate) (auth.Info, error) {
	subject := chain[0][0].Subject

	if len(subject.CommonName) == 0 {
		return nil, ErrMissingCN
	}

	exts := map[string][]string{
		"country":       subject.Country,
		"postalCode":    subject.PostalCode,
		"streetAddress": subject.StreetAddress,
		"locality":      subject.Locality,
		"province":      subject.Province,
	}

	return auth.NewUserInfo(
		subject.CommonName,
		subject.SerialNumber,
		subject.Organization,
		exts,
	), nil
})

Builder define default InfoBuilder by building Info from certificate chain subject. where the subject values mapped in the following format, CommonName to UserName, SerialNumber to ID, Organization to groups and country, postalCode, streetAddress, locality, province mapped to Extensions.

Functions

func New

func New(opts x509.VerifyOptions) auth.Strategy

New returns auth.Strategy authenticate request from client certificates

Types

type InfoBuilder

type InfoBuilder func(chain [][]*x509.Certificate) (auth.Info, error)

InfoBuilder declare a function signature for building Info from certificate chain.

Example

opts := x509.VerifyOptions{}
opts.KeyUsages = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
opts.Roots = x509.NewCertPool()
// Read Root Ca Certificate
opts.Roots.AddCert(readCertificates("ca")[0])

// create strategy and authenticator
strategy := New(opts)
Builder = InfoBuilder(func(chain [][]*x509.Certificate) (auth.Info, error) {
	return auth.NewDefaultUser("user-info-builder", "10", nil, nil), nil
})
authenticator := auth.New()
authenticator.EnableStrategy(StrategyKey, strategy)

// user request
req, _ := http.NewRequest("GET", "/", nil)
req.TLS = &tls.ConnectionState{PeerCertificates: readCertificates("client_valid")}

// validate request
info, err := authenticator.Authenticate(req)
fmt.Println(info.UserName(), err)

Output:

user-info-builder <nil>